Weiyi Wang,Lang Feng,Zhiguo Shi,Cheng Zhuo,Jiming Chen

DOI: https://doi.org/10.23919/date58400.2024.10546789

2024-01-01

Abstract:Internet of Things (IoT) devices face an escalating threat from code reuse attacks (CRAs) as they can reuse existing code for malicious purpose. Thus a practical cost-effective Control-Flow Integrity (CFI) mechanism for IoT devices is urgently needed. However, existing CFI solutions suffer from impractical-ities, including high performance overhead and a heavy reliance on offline perfect Control-Flow Graph (CFG) generation. To tackle these challenges, we propose a fine-grained dependable CFI scheme for IoT devices that real-time updates the CFG of devices. We evaluate the implementation on RISC-V architectures and the results show that our CFI scheme provides both backward- and forward-edge protection with almost no performance overhead in the case of fixed CFG, negligible power overhead, and low hardware overhead. Compared to the current hardware-assisted CFI designs, our design eliminates the dependence on the offline perfect CFG generation and performs real-time CFG updating for better practicality.

Mustakimur Khandaker,Abu Naser,Wenqing Liu,Zhi Wang,Yajin Zhou,Yueqiang Cheng

DOI: https://doi.org/10.1109/eurosp.2019.00017

2019-01-01

Abstract:Low-level languages like C/C++ are widely used in various applications for their performance and flexibility. Unfortunately, these languages are prone to memory corruption vulnerabilities, leading to control-flow hijacking attacks. Control flow integrity (CFI) is a general principle to enforce run-time control flow of a program to a pre-computed control-flow graph (CFG). While the traditional context-insensitive CFI falls short in protecting critical control transfers, recent context-sensitive CFI research shows promising improvements but has various limitations. We present Control Flow Integrity with Look Back (CFI-LB), a call-site sensitive CFI in which a conventional source-target control transfer is strengthened by a look back into its call-sites (return addresses). CFI-LB features the adaptive call-site sensitivity in which each indirect call has its own level of sensitivity and the multi-scope CFG to improve the security even if a precise context-sensitive static CFG is not available, especially for large programs such as GCC and NGINX. One of the CFGs is constructed by our localized concolic execution, which significantly extends the dynamic CFG with very low false positives. In addition, CFI-LB is the first CFI system explicitly designed to protect its reference monitors from race conditions. We have built a prototype of CFI-LB. The evaluation with SPEC CPU2006 benchmarks and NGINX indicates that CFI-LB has a low-performance overhead (less than 5% on average for the full protection) while increasing the security.

Yutian Yang,Jinjiang Tu,Wenbo Shen,Songbo Zhu,Rui Chang,Yajin Zhou

DOI: https://doi.org/10.1109/tdsc.2023.3334268

2024-01-01

Abstract:Nowadays, code reuse attacks impose a substantial threat to the security of operating system kernels. Control-flow graph-based CFI techniques, while effective, bring considerable performance overhead, thus limiting their practical adoption in real-world products. As an alternative approach, recent research suggests safeguarding the integrity of sensitive pointers as a countermeasure against manipulation attempts. Unfortunately, existing pointer integrity protection schemes only protect sensitive pointers partially and ignore assembly code, leaving protection gaps. To fill up these protection gaps, we propose a novel security concept named full life-cycle integrity , which enforces the integrity of a sensitive pointer at every step on its value flow chain. To realize full life-cycle integrity, we propose three novel techniques, including assembly-aware sensitivity for analyzing assembly code, Merkle PAC tree for protecting interrupt context securely and efficiently, and pointer-grained authentication for defeating spatial substitution attacks. We have developed a practical implementation of comprehensive life-cycle integrity for the Linux kernel, called ”kernel Code Pointer Authentication” (kCPA), which leverages the ARM Pointer Authentication (PAuth) mechanism. This implementation has been extended to the Apple M1 architecture for real-world evaluation on PAuth hardware. Our assessment demonstrates that kCPA effectively mitigates a range of real-world attacks while incurring a minimal 2.5% performance overhead for the Phoronix Test Suite and nearly negligible performance impact for SPEC2017 benchmarks.

Liang DENG,Qing-Kai ZENG

DOI: https://doi.org/10.13328/j.cnki.jos.005017

2016-01-01

Abstract:In commodity OS, the OS kernel runs in the highest privilege layer to manage hardware resources and provides system services. Thus, security-sensitive applications are vulnerable to compromises the underlying untrusted kernel. In this paper, an approach named AppFort is proposed to protect applications from an untrusted OS kernel. To address the high overheads of existing solutions, AppFort makes use of the unique combination of an x86 hardware feature (operand address size), kernel code integrity protection and kernel control flow integrity protection, to intercept and verify both hardware and software operations of the untrusted kernel. As a result, AppFort efficiently protects application's memory, control flows and file I/O, even if the kernel is fully compromised. Experimental results demonstrate that AppFort only incurs very small overhead, which is much better than previous work.

Jiani Li,Donghai Tian,Changzhen Hu

DOI: https://doi.org/10.1109/cis.2015.93

2015-01-01

Abstract:With the rapid development of computer science and Internet technology, software security issues have become one of the main threats to information system. The technique of execution path tracking based on control flow integrity is an effective method to improve software security. However, the dynamic tracking method may incur considerable performance overhead. To address this problem, this paper proposes a method of dynamic control flow enforcement based on API invocations. Our method is based on a key observation: most control flow attackers will invoke the sensitive APIs to achieve their malicious purpose. To defeat these attacks, we first extract the normal execution path of API calls by offline analysis. Then, we utilize the offline information for run-time enforcement. The results of the experiment showed that our method is able to detect and prevent the control flow attacks with malicious API invocations. Compared with existing methods, the system performance is improved.

Jiliang Zhang,Binhang Qi,Gang Qu

DOI: https://doi.org/10.1109/JIOT.2018.2866164

2018-09-19

Abstract:Recently, code reuse attacks (CRAs), such as return-oriented programming (ROP) and jump-oriented programming (JOP), have emerged as a new class of ingenious security threatens. Attackers can utilize CRAs to hijack the control flow of programs to perform malicious actions without injecting any codes. Many defenses, classed into software-based and hardware-based, have been proposed. However, software-based methods are difficult to be deployed in practical systems due to high performance overhead. Hardware-based methods can reduce performance overhead but may require extending instruction set architectures (ISAs) and modifying compiler or suffer the vulnerability of key leakage. To tackle these issues, this paper proposes a new hardware-based control flow checking method to resist CRAs with negligible performance overhead without extending ISAs, modifying compiler and leaking the encryption/decryption key. The key technique involves two control flow checking mechanisms. The first one is the encrypted Hamming distances (EHDs) matching between the physical unclonable function (PUF) response and the return addresses, which prevents attackers from returning between gadgets so long as the PUF response is secret, thus resisting ROP attacks. The second one is the liner encryption/decryption operation (XOR) between PUF response and the instructions at target addresses of call and jmp instructions to defeat JOP attacks. Advanced return-based full-function reuse attacks will be prevented with the dynamic key-updating method. Experimental evaluations on benchmarks demonstrate that the proposed method introduces negligible 0.95% run-time overhead and 0.78% binary size overhead on average.

Cryptography and Security,Hardware Architecture

Hung-Min Sun,Hsun Wang,King-Hang Wang,Chien-Ming Chen

DOI: https://doi.org/10.1109/tc.2011.46

IF: 3.183

2011-01-01

IEEE Transactions on Computers

Abstract:As new vulnerabilities on Windows systems are reported endlessly, it is more practical to stop polymorphic malicious code from exploiting these vulnerabilities by building an behavior-based monitor, rather than adopting a signature-based detection system or fixing these vulnerabilities. Many behavior-based monitors have been proposed for Windows systems to serve this purpose. Some of them hook high-level system APIs to detect the suspicious behaviors of code. However, they cannot detect malicious code that directly invokes Native APIs. In this paper, we present a novel security scheme that hooks Native APIs in the kernel mode. This method effectively prevents malicious code calling Native APIs directly. It introduces an average eight percent computation overhead into the system. Analyses and a series of experiments are given in the paper to support our claims.

Chao Zhang,Tao Wei,Zhaofeng Chen,Lei Duan,Laszlo Szekeres,Stephen McCamant,Dawn Song,Wei Zou

DOI: https://doi.org/10.1109/sp.2013.44

2013-01-01

Security and Privacy

Abstract:Control Flow Integrity (CFI) provides a strong protection against modern control-flow hijacking attacks. However, performance and compatibility issues limit its adoption. We propose a new practical and realistic protection method called CCFIR (Compact Control Flow Integrity and Randomization), which addresses the main barriers to CFI adoption. CCFIR collects all legal targets of indirect control-transfer instructions, puts them into a dedicated "Springboard section" in a random order, and then limits indirect transfers to flow only to them. Using the Springboard section for targets, CCFIR can validate a target more simply and faster than traditional CFI, and provide support for on-site target-randomization as well as better compatibility. Based on these approaches, CCFIR can stop control-flow hijacking attacks including ROP and return-into-libc. Results show that ROP gadgets are all eliminated. We observe that with the wide deployment of ASLR, Windows/x86 PE executables contain enough information in relocation tables which CCFIR can use to find all legal instructions and jump targets reliably, without source code or symbol information. We evaluate our prototype implementation on common web browsers and the SPEC CPU2000 suite: CCFIR protects large applications such as GCC and Firefox completely automatically, and has low performance overhead of about 3.6%/8.6% (average/max) using SPECint2000. Experiments on real-world exploits also show that CCFIR-hardened versions of IE6, Firefox 3.6 and other applications are protected effectively.

Zili Zha,Min Li,Wanyu Zang,Meng Yu,Songqing Chen

DOI: https://doi.org/10.1109/iccnc.2015.7069428

2015-01-01

Abstract:The security of user applications largely relies on the proper execution of the underlying operating system. However, existing commodity OSes are inevitably vulnerable due to their enormous code base containing a whole bunch of bugs that can be easily exploited by attackers. In such situations, a proper way of protecting users' data privacy and integrity at runtime is a paramount task that needs efficient solutions. While quite some efforts, such as Overshadow, SP3, InkTag, and AppShield, have been made to deal with this problem, existing solutions either induce non-trivial performance overhead, or demand modifications to the OS, applications, or the underlying hardware architecture. In this paper, we present AppGuard that can efficiently and feasibly protect user applications even on a compromised OS. AppGuard utilizes the hardware virtualization extensions to achieve such a goal. Compared to the existing solutions, AppGuard does not require any modifications to the application or the OS. Our evaluation results demonstrate that AppGuard can provide effective protection to user applications with much lower performance overhead.

Pinghai Yuan,Qingkai Zeng,Xuhua Ding

DOI: https://doi.org/10.1007/978-3-319-26362-5_4

2015-01-01

Abstract:Code-reuse attacks have become the primary exploitation technique for system compromise despite of the recently introduced Data Execution Prevention technique in modern platforms. Different from code injection attacks, they result in unintended control-flow transfer to victim programs without adding malicious code. This paper proposes a practical scheme named as CFIGuard to detect code-reuse attacks on user space applications. CFIGuard traces every branch execution by leveraging hardware features of commodity processors, and then validates the traces based on fine-grained control flow graphs. We have implemented a prototype of CFIGuard on Linux and the experiments show that it only incurs around 2.9 % runtime overhead for a set of typical server applications.

Donghai Tian,Rui Ma,Xiaoqi Jia,Changzhen Hu

DOI: https://doi.org/10.1016/j.future.2019.05.008

IF: 7.307

2019-01-01

Future Generation Computer Systems

Abstract:Vulnerable kernel extensions are severe threats to the security of modern operating systems. Due to lack of protection mechanism in the kernel space, the kernel extension exploitation could take over the entire operating system’s control. To enhance security and reliability of kernel extensions, many solutions mainly rely on adding the kernel isolation mechanisms to confine the execution behaviors of kernel extensions. However, previous methods suffer from limitations in terms of compatibility and performance cost. To address these issues, we present KEcruiser, a novel control flow protection mechanism for kernel extensions. The basic idea of our approach is to monitor the control flow of a kernel extension and then identify the abnormal execution behavior during run-time. Based on the recent hardware feature, our system can collect the kernel control flow information efficiently. By leveraging the virtualization technology, our security monitor is deployed outside of the target VM so that the kernel control flow can be checked securely. To ensure the monitoring correctness and concurrency, we make use of Lamport’s ring buffer algorithm. Our system is compatible with the existing commodity operating system, and it can protect the running kernel extensions transparently. The experiments show that KEcruiser can effectively identify control flow violation occurred in kernel extensions with small performance cost.

Nai Xia,Bing Mao,Qingkai Zeng,Li Xie

DOI: https://doi.org/10.1007/978-3-540-77505-8_8

2007-01-01

Abstract:Control-hijacking attacks are known as critical threats to software security. Control flow monitoring is a kind of important method to mitigate this problem. In this paper, we present a new method for program control flow monitoring. Based on the static analysis of a program, we apply very simple instrumentation of a progam's source code to encode its runtime function level control flow traces and check the correctness of the traces in the OS kernel. Experiments show that this method has a tiny performance impact and is still highly effective in detecting control-hijacking attacks. We also propose to automatically handle non-standard control flow by learning programs' dynamic profiling data. Our method is hopeful to be enforceable in different environments because it does not depend closely on specific platform features and the underlying techniques can be easily found in many platforms.

Yutian Yang,Songbo Zhu,Wenbo Shen,Yajin Zhou,Jiadong Sun,Kui Ren

DOI: https://doi.org/10.48550/arXiv.1912.10666

2020-10-12

Abstract:Code reuse attacks are still big threats to software and system security. Control flow integrity is a promising technique to defend against such attacks. However, its effectiveness has been weakened due to the inaccurate control flow graph and practical strategy to trade security for performance. In recent years, CPU vendors have integrated hardware features as countermeasures. For instance, ARM Pointer Authentication (PA in short) was introduced in ARMV8-A architecture. It can efficiently generate an authentication code for an address, which is encoded in the unused bits of the address. When the address is de-referenced, the authentication code is checked to ensure its integrity. Though there exist systems that adopt PA to harden user programs, how to effectively use PA to protect OS kernels is still an open research question. In this paper, we shed lights on how to leverage PA to protect control flows, including function pointers and return addresses, of Linux kernel. Specifically, to protect function pointers, we embed authentication code into them, track their propagation and verify their values when loading from memory or branching to targets. To further defend against the pointer substitution attack, we use the function pointer address as its context, and take a clean design to propagate the address by piggybacking it into the pointer value. We have implemented a prototype system with LLVM to identify function pointers, add authentication code and verify function pointers by emitting new machine instructions. We applied this system to Linux kernel, and solved numerous practical issues, e.g., function pointer comparison and arithmetic operations. The security analysis shows that our system can protect all function pointers and return addresses in Linux kernel.

Cryptography and Security,Operating Systems

Hui LI,Xing-shu CHEN,Lei ZHANG,Wen-xian WANG

DOI: https://doi.org/10.3969/j.issn.1671-1122.2014.12.009

2014-01-01

Abstract:Cloud computing is developing fast and widely used, as an important support for cloud computing, virtualization has improved the efifciency of resource utilization and management capability for a platform. As an open source software for virtualization, the unique design and excellent performance make Xen adopted by many could service providers, which are also troubled by the security problems of Xen hypervisor. The privilege interfaces provided by Xen can be utilized by malicious code of virtual machine, which can be used by intruders to attack Xen or virtual machines running above. To solve the problem of hypercalls of Xen to be abused by malicious code inside guest kernel, a method to analyze the execution path of guest kernel is provided, which is used to trace the execution path of guest kernel that has launched this hypercall, compared with the training set constructed at the beginning, preventing hypercalls being misused by malicious code of guest kernel becomes possible. By tracking stack information of guest kernel, the execution path of virtual machine is reconstructed and built up with the help of instruction analysis and symbol table of guest kernel, unexpected execution paths of hypervalls are avoided with this method. We experimented our idea on Xen platform, a new virtual machine was created to get its training set during its running time. Then when this heprcall happens, the corresponding execution path is constructed dynamically, compared with the training set, unforeseen invoking to hypervalls is avoided.

Haibo Chen,Liwei Yuan,Xi Wu,Binyu Zang,Bo Huang,Pen-Chung Yew

DOI: https://doi.org/10.1145/1669112.1669162

2009-01-01

Abstract:Recent micro-architectural research has proposed various schemes to enhance processors with additional tags to track various properties of a program. Such a technique, which is usually referred to as information flow tracking, has been widely applied to secure software execution (e.g., taint tracking), protect software privacy and improve performance (e.g., control speculation). In this paper, we propose a novel use of information flow tracking to obfuscate the whole control flow of a program with only modest performance degradation, to defeat malicious code injection, discourage software piracy and impede malware analysis. Specifically, we exploit two common features in information flow tracking: the architectural support for automatic propagation of tags and violation handling of tag misuses. Unlike other schemes that use tags as oracles to catch attacks (e.g., taint tracking) or speculation failures, we use the tags as flow-sensitive predicates to hide normal control flow transfers: the tags are used as predicates for control flow transfers to the violation handler, where the real control flow transfer happens. We have implemented a working prototype based on Itanium processors, by leveraging the hardware support for control speculation. Experimental results show that BOSH can obfuscate the whole control flow with only a mean of 26.7% (ranging from 4% to 59%) overhead on SPECINT2006. The increase in code size and compilation time is also modest.

Donghai Tian,Xiaoqi Jia,Junhua Chen,Changzhen Hu,Jingfeng Xue

DOI: https://doi.org/10.1109/cc.2016.7781725

2016-01-01

China Communications

Abstract:Heap overflow attack is one of the major memory corruption attacks that have become prevalent for decades. To defeat this attack,many protection methods are proposed in recent years. However,most of these existing methods focus on user-level heap overflow detection. Only a few methods are proposed for kernel heap protection. Moreover,all these kernel protection methods need modifying the existing OS kernel so that they may not be adopted in practice. To address this problem,we propose a lightweight virtualization-based solution that can protect the kernel heap buffers allocated for the target kernel modules. The key idea of our approach is to combine the static binary analysis and virtualization technology to trap a memory allocation operation of the target kernel module,and then add one secure canary word to the end of the allocated buffer. After that,a monitor process is launched to check the integrity of the canaries. The evaluations show that our system can detect kernel heap overflow attacks effectively with minimal performance cost.

Donghai Tian,Xi Xiong,Changzhen Hu,Peng Liu

DOI: https://doi.org/10.1007/978-3-642-18178-8_34

2010-01-01

Abstract:Nowadays Buffer overflow attacks are still recognized as one of the most severe threats in software security. Previous solutions suffer from limitations in that: 1) Some methods based on compiler extensions have limited practicality because they need to access source code; 2) Other methods that need to modify some aspects of the operating system or hardware require much deployment effort; 3) Almost all methods are unable to deploy a runtime protection for programs that cannot afford to restart. In this paper, we propose PHUKO, an on-the-fly buffer overflow prevention system which leverages virtualization technology. PHUKO offers the protected program a fully transparent environment and an easy deployment without the need to restart the program. The experiments show that our system can defend against realistic buffer overflow attacks effectively with moderate performance overhead.

Zili Shao,Chun Xue,Qingfeng Zhuge,Meikang Qiu,Bin Xiao,Edwin H. -M. Sha

DOI: https://doi.org/10.1109/TC.2006.59

IF: 3.183

2006-01-01

IEEE Transactions on Computers

Abstract:With more embedded systems networked, it becomes an important problem to effectively defend embedded systems against buffer overflow attacks. Due to the increasing complexity and strict requirements, off-the-shelf software components are widely used in embedded systems, especially for military and other critical applications. Therefore, in addition to effective protection, we also need to provide an approach for system integrators to efficiently check whether software components have been protected. In this paper, we propose the HSDefender (Hardware/Software Defender) technique to perform protection and checking together. Our basic idea is to design secure call instructions so systems can be secured and checking can be easily performed. In the paper, we classify buffer overflow attacks into two categories and provide two corresponding defending strategies. We analyze the HSDefender technique with respect to hardware cost, security, and performance. We experiment with our HSDefender technique on the simplescalar/ARM simulator with benchmarks from MiBench, an embedded benchmark suite. The results show that our HSDefender technique can defend a system against more types of buffer overflow attacks with less overhead compared with the previous work.

Qiang Hao,Zhun Zhang,Dongdong Xu,Jiqing Wang,Jiakang Liu,Jinlei Zhang,Jinhui Ma,Xiang Wang

DOI: https://doi.org/10.3390/app12157750

2022-01-01

Applied Sciences

Abstract:As technology evolves, embedded systems access more networks and devices, which means more security threats. Existing security-monitoring methods with a single parameter (data or control flow) are not effective in detecting attackers tampering with the data or control flow of an embedded system. However, simply overlaying multiple security methods will result in excessive performance overhead for embedded systems. In this paper, we propose a novel hardware security-monitoring architecture that extracts DI (data integrity) digests and CFI (control flow integrity) tags to generate reference information when the program is offline. To monitor the indirect jumping behavior, this paper maps the legal target addresses into the bitmap, thus saving the search time. When the program is loaded, the reference information and the bitmap are safely loaded into the on-chip memory. The hardware monitoring module designed in this paper will check the DI summary and CFI tags in real time while executing the program. The architecture proposed in this paper has been implemented on the Xilinx Virtex 5 FPGA platform. Experimental results show that, compared with existing protection methods, the proposed approach in this paper can effectively detect multiple tampering-type attacks on the data and control flow of the embedded system, with a performance overhead of about 6%.

Tai Yue,Fengwei Zhang,Zhenyu Ning,Pengfei Wang,Xu Zhou,Kai Lu,Lei Zhou

DOI: https://doi.org/10.1109/tifs.2024.3372816

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Many modern processors have embedded hardware tracing techniques (e.g., Intel Processor Trace or ARM CoreSight). While these techniques are widely used due to their transparency and low overhead, they also bring serious security threats. Attackers can utilize hardware tracing to trace the trusted applications from a non-secure application. Existing protection techniques fail to effectively protect the runtime information when hardware tracing is employed. To counter these threats, in this paper, we propose a novel direction called anti-hardware tracing. Our key idea is to exploit the limitations of hardware tracing: trace buffer overflow can cause trace data loss. We build a model to analyse the overflow and outline three principles for efficient triggering overflows and achieving anti-hardware tracing: numerous branches in the program, high-speed execution of the program, and the high-water mark of the trace buffer. We develop a framework called Armor on ARM Juno R2 to realize our approach. Armor protects software against the trace unit Embedded Trace Macrocell (ETM) in CoreSight by instrumenting protection and loop functions. The protection function detects runtime environments, efficiently fills the trace buffer, and employs various protection strategies like PID (process identifier) replacement and PIE+STRIP+ASLR. Meanwhile, the loop function triggers overflows efficiently based on context-based calculations and anti-ETM loop. Our evaluation demonstrates that the overhead of Armor is 77.31% lower than that of OLLVM [1] on SPEC2006. Armor effectively hides 54.51% of basic blocks across 16 real-world applications, triggering 113× more overflows. Moreover, we showcase two practical applications of Armor. Firstly, we conduct a cryptographic and cross-world attack on GnuPG 1.4.13 RSA private keys using ETM, which can steal entire keys from a program in the Secure world with a single run. Armor successfully reduces leaked bits by 84.5%. Secondly, Armor impedes hardware-assisted fuzzing by reducing throughput by 89.71% and branch coverage by 47.99%.

computer science, theory & methods,engineering, electrical & electronic